January 16th, 2008, 06:08 PM   #1
Junior Member
Verified Customer
 
Join Date: Sep 2004
Posts: 4
Can't upload pics after patching exploit (functions_gallery_imageedit)

I have a client running vBGallery 2.0 -- patched the file as described and now whenever I try to upload a pic I get:

"No Image specified. If you followed a valid link, please notify the administrator"

When I choose to upload it from a directory on the server it then puts an entry in the database - but - no image comes up when clicked -- doesn't even bother to copy it over to the proper dir so there's the reason.

gallery/files is chmodded -R 777 -- this all worked fine before patching that file, not sure what the issue is - I'm stumped!

Have 2 errors in the error log:

Quote:
File does not exist: /var/www/vhosts/foo.com/httpdocs/forum/gallery/foo, referer: http://www.foo.com/forum/gallery/upload.php

script '/var/www/vhosts/foo.com/httpdocs/forum/gallery/cron.php' not found or unable to stat, referer: http://www.foo.com/forum/gallery/upload.php

Looks like a path issue but everything seems correct in the settings. Worth noting: the first error is a directory present in /forum -- why is it looking for it in /forum/gallery ? Same goes for cron.php

Help! thanks
Swamper is offline  
January 17th, 2008, 10:26 AM   #2
Member
Verified Customer
 
Join Date: Sep 2004
Posts: 52
Ditto...

I'm having the same issue on my install - when a user tries to upload they get the same message
maniac is offline  
January 19th, 2008, 06:13 AM   #3
Member
Verified Customer
 
Join Date: Nov 2005
Posts: 39
am also having the same problem
Black Cobra is offline  
January 19th, 2008, 12:14 PM   #4
PhotoPost Support
Verified Customer
 
Join Date: Nov 2005
Location: Canoga Park, CA
Posts: 3,228
Try this out:
/forums/includes/functions_gallery_imageedit.php

Find:
Code:
Content visible to verified customers only.
Replace:
Code:
Content visible to verified customers only.
Find:
Code:
Content visible to verified customers only.
Replace:
Code:
Content visible to verified customers only.
Zachariah is offline  
January 19th, 2008, 12:18 PM   #5
PhotoPost Support
Verified Customer
 
Join Date: Nov 2005
Location: Canoga Park, CA
Posts: 3,228
I was doing testing w/ non-alphanumeric characters and the 1st revision of the code wiped everything out of the file name. ".jpg" and saved.

- Now I added a failsafe, if file is totally stripped of the name generate one with md5().

- also updated more filenames to ban.

Let me know.
Zachariah is offline  
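
Post #5 describes a filename filter that strips non-alphanumeric characters, falls back to an md5() name when nothing is left, and bans certain names; the patch itself is hidden on this page. The following is an added illustration of that approach, not PhotoPost's code: the function name, the extension allow-list and the ban list are assumptions, and it is written for current PHP (7+).

```php
<?php
// Added example, not vBGallery code. sanitize_upload_name() and both lists are hypothetical.

function sanitize_upload_name(string $clientName, array $allowedExt, array $bannedStems): string
{
    // Drop any directory part; treat "\" as a separator too.
    $name = basename(str_replace('\\', '/', $clientName));

    // Split on the last dot and check the extension against an allow-list.
    $dot  = strrpos($name, '.');
    $ext  = $dot === false ? '' : strtolower(substr($name, $dot + 1));
    $stem = $dot === false ? $name : substr($name, 0, $dot);
    if (!in_array($ext, $allowedExt, true)) {
        throw new InvalidArgumentException("extension not allowed: '$ext'");
    }

    // Keep only ASCII letters, digits, "_" and "-". Inner dots go as well,
    // so a double extension cannot survive in the stored name.
    $stem = (string) preg_replace('/[^A-Za-z0-9_-]/', '', $stem);

    // Failsafe from post #5: nothing left (or a banned name) -> generated name.
    if ($stem === '' || in_array(strtolower($stem), $bannedStems, true)) {
        $stem = md5($clientName . microtime() . random_int(0, PHP_INT_MAX));
    }
    return $stem . '.' . $ext;
}

// Constructed sample input.
$allowed = ['jpg', 'jpeg', 'gif', 'png'];
$banned  = ['index', 'config'];
foreach (['holiday pic!.jpg', '???.jpg', '.jpg', '../../index.gif', 'a.b.c.png'] as $in) {
    printf("%-18s -> %s\n", $in, sanitize_upload_name($in, $allowed, $banned));
}
```

The name filter does not inspect file content; confirming that the upload really is an image is a separate check.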
January 19th, 2008, 12:26 PM   #6
Member
Verified Customer
 
Join Date: Sep 2004
Posts: 52
Nope - that didn't help..

Thanks for the suggestion though.

Still get the "No image specified" error:
Attached Images
File Type: gif error.gif (24.2 KB, 14 views)
maniac is offline  
January 19th, 2008, 12:47 PM   #7
PhotoPost Support
Verified Customer
 
Join Date: Nov 2005
Location: Canoga Park, CA
Posts: 3,228
Shoot me some ftp / adminCP access via PM.
- I'll take a look
Zachariah is offline  
January 21st, 2008, 01:29 PM   #8
Member
Verified Customer
 
Join Date: Oct 2005
Posts: 49
well, my problem is actually different, sorry!
twitch is offline  
January 21st, 2008, 05:34 PM   #9
Junior Member
Verified Customer
 
Join Date: Sep 2004
Posts: 4
Same problem happening here even after the above fix....
Swamper is offline  
January 21st, 2008, 10:20 PM   #10
PhotoPost Support
Verified Customer
 
Join Date: Nov 2005
Location: Canoga Park, CA
Posts: 3,228
Quote:
Originally Posted by Swamper View Post
Same problem happening here even after the above fix....
Ok I logged in.
- your gallery/files folder has no ownership.
- owner: (?) they tend to be owned by your login username.

I could not chmod 777 with my ftp client: Error-> no permission..

You will need to do this in CPanel or SSH.
-----------------------------

There was another member that did a command line gzip site backup/restore and sent it to the new server.. the problem is.. he was logged in as root.. so all permissions got set to "root"

Once the ownership of the files/folders was changed to the current user logged in then chmod all other operations were ok.
Zachariah is offline  
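
Post #10 traces the failed uploads to the ownership of gallery/files rather than to its mode bits. The script below is an added diagnostic, not PhotoPost code: it lists every directory under the upload root with its owner, its mode and whether the PHP process can write to it. The helper names and the default path (the script placed in the forum directory) are assumptions.

```php
<?php
// Added example, not PhotoPost code. audit_upload_tree() and owner_name() are hypothetical helpers.
// Request it through the web server so it runs as the account that handles uploads.

function owner_name(int $uid): string
{
    // posix_* needs the POSIX extension; fall back to the numeric uid.
    if (function_exists('posix_getpwuid') && ($pw = posix_getpwuid($uid)) !== false) {
        return $pw['name'];
    }
    return (string) $uid;
}

function audit_upload_tree(string $root): array
{
    $me   = function_exists('posix_geteuid') ? posix_geteuid() : -1;
    $dirs = [$root];
    $walk = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST,
        RecursiveIteratorIterator::CATCH_GET_CHILD   // skip unreadable subdirectories
    );
    foreach ($walk as $path => $info) {
        if ($info->isDir()) {
            $dirs[] = $path;
        }
    }
    $rows = [];
    foreach ($dirs as $dir) {
        $uid  = fileowner($dir);
        $mode = fileperms($dir) & 0777;
        $rows[] = [
            'dir'            => $dir,
            'owner'          => owner_name($uid),
            'mode'           => sprintf('%04o', $mode),
            'owned_by_php'   => $uid === $me,
            'php_can_write'  => is_writable($dir),
            'world_writable' => ($mode & 0002) !== 0,
        ];
    }
    return $rows;
}

// Assumed location; pass another root as the first CLI argument.
$root = $argv[1] ?? __DIR__ . '/gallery/files';
foreach (audit_upload_tree($root) as $r) {
    printf("%-45s owner=%-10s mode=%s%s\n", $r['dir'], $r['owner'], $r['mode'],
        $r['php_can_write'] ? '' : '  <-- PHP cannot write here');
}
```

A directory flagged as not writable and owned by root matches the restore-as-root case described in the post; the `world_writable` field shows which directories currently depend on mode 777.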
January 21st, 2008, 10:30 PM   #11
Member
Verified Customer
 
Join Date: Sep 2004
Posts: 52
I checked my directory permissions and they are correct - still having issue...
maniac is offline  
January 21st, 2008, 11:16 PM   #12
Junior Member
Verified Customer
 
Join Date: Sep 2004
Posts: 4
Quote:
Originally Posted by maniac View Post
I checked my directory permissions and they are correct - still having issue...
I had to make sure all directories in gallery/files were chmodded 777 - then it worked for me.

Thanks Zachariah.
Swamper is offline  
January 21st, 2008, 11:31 PM   #13
Registered User
 
Join Date: Jan 2008
Posts: 1
am also having the same problem
abuhish is offline  
January 21st, 2008, 11:42 PM   #14
PhotoPost Support
Verified Customer
 
Join Date: Nov 2005
Location: Canoga Park, CA
Posts: 3,228
Error in order of operations.
/forums/includes/functions_gallery_imageedit.php


Move
Code:
Content visible to verified customers only.
Above:
Code:
Content visible to verified customers only.
Zachariah is offline  
January 22nd, 2008, 11:34 AM   #15
Member
Verified Customer
 
Join Date: Sep 2004
Posts: 52
Code is already above specified comment; And all of my upload directories are 777...



Quote:
Originally Posted by Zachariah View Post
Error in order of operations.
/forums/includes/functions_gallery_imageedit.php


Move
Code:
Content visible to verified customers only.
Above:
Code:
Content visible to verified customers only.
maniac is offline  
January 22nd, 2008, 11:38 AM   #16
Member
Verified Customer
 
Join Date: Sep 2004
Posts: 52
Zachariah - just saw you uploaded an image...

I'll run a few tests and let you know if all is OK; thanks.
maniac is offline  
January 22nd, 2008, 12:21 PM   #17
Member
Verified Customer
 
Join Date: Sep 2004
Posts: 52
I ran a few tests and only admins can upload...

Gallery was running smoothly until the patch - I checked all permissions and nothing has changed.

When regular members try to upload they get the error message...
maniac is offline  
February 3rd, 2008, 09:43 AM   #18
Member
Verified Customer
 
Join Date: Aug 2005
Posts: 283
stupid question.. is this issue fixed now? if yes.. was it the stripos function? (that has to be outside all functions to work.. so that fix is mandatory anyway - but only for php versions lower than 5.0x)

Luc
Luciano is offline  
All times are GMT -5.